If that is true, you would have to look for more than just the semi-colon. The semi-colon could be used in a legitimate string. I was going to say you could look for ;drop or ;insert etc, but I think there would still be other ways to do damage via SQL. The user could do the semi-colon and then a case statement or something other than the expected drop/delete keyword. At least I think they could do this.
At 11:50 AM 03/09/02 -0700, you wrote:
>I might be way off here, but wouldn't you just need to screen for
>semi-colons? In order to hack a query the user would have to enter a
>semi-colon to end the current statement and begin one of their own...
>
>+-----------------------------------------------+
>Bryan Love
>   Macromedia Certified Professional
>   Internet Application Developer
>   Database Analyst
>TeleCommunication Systems
>[EMAIL PROTECTED]
>+-----------------------------------------------+
>
>"...'If there must be trouble, let it be in my day, that my child may have
>peace'..."
>     - Thomas Paine, The American Crisis
>
>
>-----Original Message-----
>From: Brook Davies [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 03, 2002 11:54 AM
>To: CF-Talk
>Subject: SQL Injection Attacks (scrubbers cont.)
>
>
>I have been trying to use the UDF below, which I got from
>http://www.cflib.org/udf.cfm?ID=612&enable=0.
>
>The problem is this UDF will return true whenever a field contains the word
>delete, drop, insert etc. Or when it contains a single quote character.
>This doesn't really work very well since a user could submit the valid
>value: "we'll update the price later and drop by to talk". Which would
>return true for an injection attack using this UDF.
>
>Anybody have any ideas on how we could go about updating this UDF to be a bit
>more accurate?
>
>
><cfscript>
>/**
> * Tests a string, one-dimensional array, or simple struct for possible
> * SQL injection.
> *
> * @param input String to check. (Required)
> * @return Returns a boolean.
> * @author Will Vautrain ([EMAIL PROTECTED])
> * @version 1, July 1, 2002
> */
>function IsSQLInject(input) {
>    /*
>     * The SQL-injection strings were used at the suggestion of Chris Anley
>     * [[EMAIL PROTECTED]]
>     * in his paper "Advanced SQL Injection In SQL Server Applications"
>     * available for download at
>     * http://www.ngssoftware.com/
>     */
>    var listSQLInject = "select,insert,update,delete,drop,--,'";
>    var arraySQLInject = ListToArray(listSQLInject);
>    var i = 1;
>
>    for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
>        if(findNoCase(arraySQLInject[i], input)) return true;
>    }
>
>    return false;
>}
></cfscript>
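An added example (not code from this thread or from cflib) that ports the quoted UDF's keyword check to Python and puts it next to the approach that makes the check unnecessary: binding user input as a query parameter. It assumes an in-memory SQLite database with a constructed `notes` table; the sentence from Brook's message is flagged by the blacklist but is stored and read back verbatim through a bound parameter, as is a value containing both a quote and a semi-colon.

```python
import sqlite3

# Token list copied from the IsSQLInject UDF quoted in the thread.
SQL_INJECT_TOKENS = ["select", "insert", "update", "delete", "drop", "--", "'"]


def is_sql_inject(text: str) -> bool:
    """Port of IsSQLInject: case-insensitive substring blacklist.

    Any ordinary sentence containing 'update', 'drop' or an apostrophe
    trips it, and adding more tokens only adds more false positives.
    """
    lowered = text.lower()
    return any(token in lowered for token in SQL_INJECT_TOKENS)


def store_and_fetch_note(note: str) -> tuple[str, int]:
    """Store a free-text note via a bound parameter and read it back.

    Returns (stored body, number of tables in the schema). Because the value
    is passed to the driver separately from the SQL text, quotes, semi-colons
    and keywords inside it are data, never statement syntax, so no filtering
    of the text is needed for it to be safe.
    """
    conn = sqlite3.connect(":memory:")  # constructed, throwaway database
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (note,))
    body = conn.execute(
        "SELECT body FROM notes WHERE body = ?", (note,)
    ).fetchone()[0]
    tables = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
    ).fetchone()[0]
    conn.close()
    return body, tables


if __name__ == "__main__":
    legit = "we'll update the price later and drop by to talk"
    print(is_sql_inject(legit))                # True: blacklist false positive
    print(store_and_fetch_note(legit))         # stored verbatim, schema unchanged
    print(store_and_fetch_note("O'Brien; call back Monday"))
```

In ColdFusion the equivalent of the `?` placeholder is `<cfqueryparam>` inside `<cfquery>`, which is the fix the thread is circling around rather than a better scrubber.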

